US10613993B2 - Method for protecting a program code, corresponding system and processor - Google Patents

Method for protecting a program code, corresponding system and processor Download PDF

Info

Publication number
US10613993B2
US10613993B2 US14/610,924 US201514610924A US10613993B2 US 10613993 B2 US10613993 B2 US 10613993B2 US 201514610924 A US201514610924 A US 201514610924A US 10613993 B2 US10613993 B2 US 10613993B2
Authority
US
United States
Prior art keywords
instruction word
cache
instruction
memory
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US14/610,924
Other versions
US20150220456A1 (en
Inventor
Bruno Fel
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
STMICROELECTRONICS INTERNATIONAL NV
Original Assignee
STMicroelectronics SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by STMicroelectronics SA filed Critical STMicroelectronics SA
Assigned to STMICROELECTRONICS SA reassignment STMICROELECTRONICS SA ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: FEL, BRUNO
Publication of US20150220456A1 publication Critical patent/US20150220456A1/en
Application granted granted Critical
Publication of US10613993B2 publication Critical patent/US10613993B2/en
Assigned to STMICROELECTRONICS INTERNATIONAL N.V. reassignment STMICROELECTRONICS INTERNATIONAL N.V. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: STMICROELECTRONICS SA
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1408Protection against unauthorised use of memory or access to memory by using cryptography
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02Addressing or allocation; Relocation
    • G06F12/08Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/0802Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/125Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1052Security improvement
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/60Details of cache memory
    • G06F2212/603Details of cache memory of operating mode, e.g. cache mode or local memory mode

Definitions

  • the disclosure relates to the protection of program codes intended to be executed by an information processing module, for example but not limitingly a microprocessor.
  • SoC system-on-chip
  • a complex system-on-chip may comprise, in addition to a microprocessor, hundreds of different modules commonly referred to by the person skilled in the art by the acronym IP (Intellectual Property). Most of these modules may contain microcontrollers which execute code. Furthermore, these modules may be used by attackers as entry points for spying, and possibly subsequently modifying the program code executed by the microprocessor.
  • IP Intelligent Property
  • One embodiment provides protection of a program code intended to be executed by a microprocessor, for example, which makes this program code less sensitive to attacks.
  • One embodiment also provides protection of a program code which allows verification of the integrity of this program code.
  • One embodiment furthermore provides a scheme for protecting the program code distributed all along the production and execution sequence, and not only in the startup sequence (better known to the person skilled in the art by the term “boot”).
  • One aspect provides a method for protecting a program code intended to be executed by an information processing module, for example a processor or a microprocessor, comprising at least one level-one cache of a cache memory containing cache lines, each having an address field and a data field, this data field being intended to store instruction words executable by the central unit of the information processing module.
  • an information processing module for example a processor or a microprocessor, comprising at least one level-one cache of a cache memory containing cache lines, each having an address field and a data field, this data field being intended to store instruction words executable by the central unit of the information processing module.
  • the method according to this aspect comprises:
  • DRAM memory dynamic random-access memory
  • the content of a memory location of the first memory for example the DRAM memory
  • the communication medium for example a “network-on-chip” (NoC)
  • NoC network-on-chip
  • the cache memory is a hierarchy of caches and, in addition to the level-one cache, to contain at least one higher-level cache, for example a level-two cache and a level-three cache, in which case the level-three cache may optionally be outside the information processing module.
  • the decryption of the encrypted content is advantageously carried out locally at the level of the level-one cache, that is to say between the level-two cache and the level-one cache, or alternatively downstream of the level-one cache, and the encrypted content delivered to the cache memory remains stored encrypted in the various cache levels of levels greater than or equal to two.
  • the method advantageously comprises decryption of the encrypted content within the information processing module.
  • the method comprises, after the decryption, delivery of the requested instruction word to the central unit.
  • delivery of the requested instruction word to the central unit.
  • no verification of the integrity of this decrypted content is then carried out before delivery of the requested instruction word to the central unit.
  • the method furthermore comprises, before delivery of the requested instruction word, verification of the integrity of the decrypted content and delivery of the requested instruction word if the result of the verification is representative of an integral content.
  • the method comprises:
  • a scheme for protecting the program code is then obtained, which is distributed all along the production and execution sequence of this program code, that is to say during the compilation of the program code, during the delivery of this program code from the FLASH memory to the DRAM memory, and during the execution of the program code, by virtue of the fact that the decryption of the program code portion delivered to the microprocessor in the event of a cache miss is only carried out inside the microprocessor, and more particularly locally at the level of the cache memory.
  • control indication may be a checksum
  • verification of the integrity of the check indication then comprises, after decryption of the encrypted content, a new calculation of a checksum and a comparison of the checksum present in the decrypted content and the newly calculated checksum.
  • the first phase furthermore comprise verification of the integrity of the modified compiled program code before replacement of each second instruction word.
  • the verification of the integrity of the modified program code may here again be carried out with the aid of an additional checksum calculated on the basis of the modified program code.
  • a checksum may be calculated before encryption of the modified program code and storage in the FLASH memory.
  • the first phase may be carried out when launching a startup program.
  • Another aspect provides a system, comprising
  • the decryption means are advantageously configured in order to carry out the decryption of the encrypted content at the level of the level-one cache.
  • control means are configured in order, before the decryption of the encrypted content, to carry out storage of this encrypted content in the data field of a cache line of the cache memory.
  • control means are configured in order, after the decryption of the encrypted content, to carry out storage of the decrypted content in the data field of a cache line of the level-one cache of the cache memory.
  • the decryption means are configured in order to carry out decryption of the encrypted content locally at the level of the level-one cache.
  • control means are configured in order, after the decryption, to deliver the requested instruction word to the central unit.
  • system furthermore comprises verification means configured in order, before delivery of the requested instruction word, to carry out verification of the integrity of the decrypted content and to deliver the requested instruction word if the result of the verification is representative of an integral content.
  • system furthermore comprises
  • the check indication is a checksum
  • the verification means comprise calculation means configured in order to carry out, after decryption of the encrypted content, a new calculation of a checksum and a comparison of the checksum present in the decrypted content and the newly calculated checksum.
  • the processing means furthermore comprise initial verification means configured in order to carry out verification of the integrity of the modified compiled program code before replacement of each second instruction word.
  • the initial verification means may comprise initial calculation means configured in order to calculate an additional checksum on the basis of the modified program code.
  • the system may comprise a startup controller advantageously containing the processing means.
  • the system may be a system-on-chip.
  • Another aspect provides an information processing module, for example a processor or a microprocessor, comprising
  • control means are configured in order, before the decryption of the encrypted content, to carry out storage of this encrypted content in the data field of a cache line of the cache memory.
  • control means are configured in order, after the decryption of the encrypted content, to carry out storage of the decrypted content in the data field of a cache line of the level-one cache of the cache memory.
  • the decryption means are configured in order to carry out decryption of the encrypted content locally at the level of the level-one cache.
  • control means are configured in order, after the decryption, to deliver the requested instruction word to the central unit.
  • the module furthermore comprises verification means configured in order, before delivery of the requested instruction word, to carry out verification of the integrity of the decrypted content of the data field of a cache line and to deliver the requested instruction word if the result of the verification is representative of an integral content.
  • the decrypted content of the data field of a cache line contains an instruction word group comprising first instruction words relating to a compiled program code and a check indication, obtained on the basis of at least some of the first instruction words and located at a reference position in the cache line, which may be the same for all the cache lines, and the verification means are configured in order to carry out verification the integrity of the check indication, an integral check indication being representative of the integral nature of the decrypted content, and if the result of the verification is representative of an integral content, in order to replace, before delivery of the requested instruction word to the central unit, the check indication with a second instruction word, this instruction word being identical for all the cache lines.
  • the second instruction word may be a no operation instruction
  • the check indication may be a checksum
  • the verification means then for example comprise calculation means configured in order to carry out, after decryption of the decrypted content, a new calculation of a checksum and a comparison of the checksum present in the decrypted content and the newly calculated checksum.
  • the reference SYS denotes a system, for example a system-on-chip (SoC), comprising an information processing module 1 , for example a microprocessor, coupled to a communication medium 2 , in the case in point a network-on-chip (NoC).
  • SoC system-on-chip
  • NoC network-on-chip
  • the system SYS comprises a memory 4 , also referred to as the initial memory, for example a nonvolatile memory of the FLASH type, associated with an initial memory controller 3 coupled to the network 2 .
  • the initial memory for example a nonvolatile memory of the FLASH type
  • the system SYS also comprises another memory 6 , also referred to as the first memory, for example a DRAM memory, as well as an associated first memory controller 5 also coupled to the network 2 .
  • the first memory for example a DRAM memory
  • an associated first memory controller 5 also coupled to the network 2 .
  • the system SYS also comprises various modules or IP, 7 (a single one being represented for the sake of simplicity) also coupled to the network 2 .
  • the system SYS comprises a startup controller 18 (“boot controller”), also coupled to the network 2 and configured in order to launch a startup (“boot”) sequence of the system SYS, and in particular of the microprocessor 1 .
  • boot controller a startup controller 18
  • boot controller also coupled to the network 2 and configured in order to launch a startup (“boot”) sequence of the system SYS, and in particular of the microprocessor 1 .
  • the startup controller 18 comprises processing means 180 , themselves comprising initial verification means 1800 including initial calculation means 1801 , which may for example be implemented as software, and which will be returned to in more detail below regarding their function.
  • the microprocessor 1 comprises an interface 10 coupled to the network 2 , a central unit 11 (also known to the person skilled in the art by the acronym CPU: “Central Processing Unit”).
  • a central unit 11 also known to the person skilled in the art by the acronym CPU: “Central Processing Unit”.
  • the processor 1 also comprises a cache memory 12 , which will be assumed here only to be of level 1 comprising a level-1 instruction cache 120 and a level-1 data cache 130 .
  • the processor 1 also comprises a cache controller 14 , as well as control means 15 , decryption means 16 and verification means 17 , the functions of which will be returned to in more detail below.
  • the system SYS furthermore comprises a compiler 19 .
  • the instruction cache 120 comprises cache lines LCH j , each comprising an address field TG j and a data field CHD j .
  • the data field CHD j comprises a plurality of instruction words executable by the central unit 11 of the microprocessor, and the address field TG j comprises the address of the data field CHD j in the first memory 6 .
  • the reference CP denotes a program code intended to be executed by the microprocessor 1 .
  • step 30 the program code CP is compiled and supplemented with specific instruction words, in the case in point no operation instructions (NOP instructions), so as to obtain a compiled and modified program code CPM.
  • NOP instructions point no operation instructions
  • this compiled modified program code CPM comprises instruction word groups J i .
  • Each instruction word group J i comprises first instruction words MI 1 resulting from the compilation of the program code and a second instruction word, in the case in point an NOP instruction, all the second instruction words being identical and located at the same position in the corresponding instruction groups.
  • the NOP instruction is placed at the last place of each instruction group J i .
  • the second instruction word could be an instruction other than the NOP instruction, but this would then require the sacrifice of a register of the microprocessor because such an instruction can be executed by the processor.
  • the compiler 19 carries out a calculation 31 of a checksum CHS 1 on the basis of at least some, and in practice all, of the instruction words of the compiled modified program code.
  • the compiled modified program code CPM, as well as the checksum CHS 1 are encrypted (step 32 ) by conventional encryption means, which may be incorporated in the compiler 19 .
  • an algorithm of the AES type may be used as the encryption algorithm.
  • the modified, compiled and encrypted program code is then stored (step 33 ) under the control of the memory controller 3 , in memory locations EM 0 i of the initial memory 4 . These memory locations correspond to data fields of cache lines.
  • the protection method then comprises a first phase, advantageously carried out during the startup (“boot”) phase 34 of the processor.
  • the operations which will now be described are typically carried out by the startup controller 18 .
  • the processing means 180 of the startup controller 18 carry out decryption 35 of the compiled modified program code and of the checksum CHS 1 , which are stored in the initial memory 4 and extracted from this memory via the memory controller 3 .
  • the initial verification means 1800 then carries out verification 36 of the checksum CHS 1 . More particularly, in a conventional way, the initial calculation means 1801 are configured in order to calculate again an additional checksum on the basis of the modified program code CPM, and the initial verification means 1800 compare the checksum CHS 1 with the additional checksum which has just been calculated (step 37 , FIG. 4 ).
  • specific error handling 38 may be applied.
  • the content of such error handling varies depending on the applications and may for example consist in blocking the system SYS.
  • the processing means 180 determine (step 39 ) for each instruction group J i a checksum CHS 2 i obtained on the basis of the instruction words MI 1 and NOP of the group J i and replace the second instruction word, in the case in point the NOP instruction, with this checksum CHS 2 i , so as to form a modified instruction group JM i .
  • the processing means 180 then carries out encryption 40 of the modified instruction groups JM i and stores them (step 41 ) via the memory controller 5 in the memory locations EM 1 i of the first memory 6 .
  • the program code is ready to be executed by the microprocessor 1 .
  • the control means 15 which in practice may for example be implemented as software within the cache controller 14 , verify by comparison of addresses in the various address fields TG j of the cache 12 whether this instruction word MI is present in a cache line LCH of the cache 120 .
  • control means deliver on the network 2 (step 52 ) a command CMD to read the encrypted content of the memory location of the first memory 6 containing the requested instruction word.
  • This command consequently contains the address of this memory location.
  • the memory controller 5 then extracts from this memory location its encrypted content, that is to say the modified encrypted instruction group, which is assumed in this example to be the group JM j .
  • the memory controller then delivers this encrypted group JM j on the network 2 to the microprocessor 1 (step 54 ).
  • the decryption means 16 which may also be implemented as software within the cache controller 14 , then carry out decryption 55 of the modified encrypted instruction group JM j , and the verification means 17 , which may also be incorporated as software within the cache controller, carry out verification 56 of the integrity of this decrypted content, that is to say of the decrypted modified instruction group JM j .
  • the verification means will verify the integrity of the checksum CHS 2 j (step 57 ).
  • This verification is carried out in a conventional way by recalculation of a new checksum CHS 2 ′ j and by a comparison of the received checksum CHS 2 j and the calculated checksum CHS 2 ′ j .
  • the cache controller may implement specific error handling 58 .
  • the verification means 17 replace the checksum CHS 2 j with the second instruction word, in the case in point the NOP instruction, so as to obtain again the instruction group J j which had been obtained at the end of step 30 in FIG. 3 .
  • This instruction group J j which comprises the first instruction words MI 1 and the NOP instruction, is then stored (step 60 ) in the data field of a cache line, in the case in point the cache line LCH m .
  • the requested instruction word MI is then delivered (step 61 ) to the central unit 11 with a view to its execution, in which case the requested instruction word MI may be either one of the instruction words MI 1 or the NOP instruction.
  • step 51 the requested instruction word MI already belongs to a cache line LCH its delivery is carried out directly (step 61 ).
  • step 70 after delivery of the encrypted modified instruction group JM j to the microprocessor 1 , storage of this encrypted group JM j in a cache line, in the case in point the cache line LCH m , may be carried out directly (step 70 ).
  • the decryption means 16 then carry out the decryption of the modified instruction group JM j (step 71 ), and the verification means 17 carry out (step 72 ) verification of the integrity of the decrypted modified instruction group in a similar way to that described above with reference to step 56 of FIG. 5 .
  • error handling 74 is implemented.
  • the verification means then carry out (step 75 ) replacement of the checksum CHS 2 j with the NOP instruction in a similar way to that described with reference to step 59 of FIG. 6 , so as to restore the instruction group J j then, in step 76 , deliver the requested instruction word MI.
  • step 71 of FIG. 7 is proceeded to directly (step 81 ) in order then to carry out steps 72 , 73 , optionally 74 , 75 and 76 .
  • step 90 in the case in which the requested instruction word MI belongs to a cache line LCH (step 90 ), for example the cache line LCH m already decrypted, that the verification processing is carried out not before the storage of the decrypted content in the cache line but after the storage, before delivery of the requested instruction word.
  • step 91 leads directly to step 56 of FIG. 5 so as to execute steps 56 , 57 , optionally 58 and 59 to 61 .
  • the cache memory comprised only a level-one cache.
  • the cache memory may be a hierarchy of caches and comprise caches of different levels, for example a level-one cache 120 1 , a level-two cache 120 2 and a level-three cache 120 3 .
  • Some of these caches may even be located outside the microprocessor.
  • any content decryption will be carried out only either between the level-two cache and the level-one cache or downstream of the level-one cache before delivery of the instruction word to the central unit.
  • any content extracted from the memory 6 will remain encrypted so long as it remains present in a cache of a level higher than level one.
  • Each cache is associated with a cache controller.
  • the content of the corresponding cache line of the level-two cache remains encrypted in the level-two cache and is delivered by the level-two cache controller to the level-one cache controller.
  • the latter may then store the encrypted content in the cache line of the level-one cache before the decryption, or may alternatively carry out the decryption first before storage.
  • the encrypted content extracted from the DRAM memory is delivered to the level-three cache controller, which is assumed here to be outside the microprocessor.
  • the level-three controller may either update the level-3 cache by storing the encrypted content therein then deliver the encrypted content to the microprocessor, and more particularly to the level-two cache controller, or may alternatively deliver the encrypted content directly to the level-two cache controller before updating the level-three cache.
  • the level-two cache controller may either update the level-2 cache by storing the encrypted content therein then deliver the encrypted content to the level-one cache controller, or alternatively deliver the encrypted content directly to the level-one cache controller before updating the level-two cache. Furthermore, here again, the level-one cache controller may then store the encrypted content in the cache line of the level-one cache before decryption, or alternatively carry out the decryption first before storage.
  • system is not necessarily a system-on-chip (SoC) but may, for example, comprise a processor and external memories connected on a board and mutually coupled by a conventional bus.
  • SoC system-on-chip
  • a means, or module, as used herein may include a hardware module, such as one or more electronic circuits; a software module, such as one or more processor-executable instructions or one or more representations of processor-executable instructions; or a combined hardware and software module.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Memory System Of A Hierarchy Structure (AREA)
  • Storage Device Security (AREA)

Abstract

Program code intended to be copied into the cache memory of a microprocessor is transferred encrypted between the random-access memory and the processor, and the decryption is carried out at the level of the cache memory. A checksum may be inserted into the cache lines in order to allow integrity verification, and this checksum is then replaced with a specific instruction before delivery of an instruction word to the central unit of the microprocessor.

Description

BACKGROUND Technical Field
The disclosure relates to the protection of program codes intended to be executed by an information processing module, for example but not limitingly a microprocessor.
The disclosure applies more particularly but not exclusively to “systems-on-chip” (SoC).
Description of the Related Art
Currently, a complex system-on-chip may comprise, in addition to a microprocessor, hundreds of different modules commonly referred to by the person skilled in the art by the acronym IP (Intellectual Property). Most of these modules may contain microcontrollers which execute code. Furthermore, these modules may be used by attackers as entry points for spying, and possibly subsequently modifying the program code executed by the microprocessor.
BRIEF SUMMARY
One embodiment provides protection of a program code intended to be executed by a microprocessor, for example, which makes this program code less sensitive to attacks.
One embodiment also provides protection of a program code which allows verification of the integrity of this program code.
One embodiment furthermore provides a scheme for protecting the program code distributed all along the production and execution sequence, and not only in the startup sequence (better known to the person skilled in the art by the term “boot”).
One aspect provides a method for protecting a program code intended to be executed by an information processing module, for example a processor or a microprocessor, comprising at least one level-one cache of a cache memory containing cache lines, each having an address field and a data field, this data field being intended to store instruction words executable by the central unit of the information processing module.
The method according to this aspect comprises:
a) storage of the compiled and encrypted program code in memory locations of a first memory, for example a dynamic random-access memory (DRAM memory), external to the information processing module, these memory locations corresponding to data fields of cache lines, and
in the event of a request by the central unit for an instruction word not present in the data field of a cache line of the cache memory,
b) extraction from the first memory of the encrypted content of the memory location containing the requested instruction word, and delivery of this encrypted content to the information processing module, and
c) decryption of the encrypted content within the information processing module.
Thus, in the event of a “cache miss”, the content of a memory location of the first memory, for example the DRAM memory, is delivered encrypted on the communication medium, for example a “network-on-chip” (NoC), to the microprocessor, which carries out the decryption only inside itself, and more particularly locally at the level of the cache memory. For this reason, no unencrypted content of a part of the program code is accessible by an attacker at an entry point of the system.
It is possible for the cache memory to be a hierarchy of caches and, in addition to the level-one cache, to contain at least one higher-level cache, for example a level-two cache and a level-three cache, in which case the level-three cache may optionally be outside the information processing module. In this case, the decryption of the encrypted content is advantageously carried out locally at the level of the level-one cache, that is to say between the level-two cache and the level-one cache, or alternatively downstream of the level-one cache, and the encrypted content delivered to the cache memory remains stored encrypted in the various cache levels of levels greater than or equal to two.
This being the case, there are several possibilities in respect of the time of this decryption in relation to the storage in the cache memory.
Thus, it is possible to carry out, before the decryption of the encrypted content, storage of this encrypted content in the data field of a cache line of the cache memory. In other words, the encrypted content is first stored in the cache memory before carrying out the decryption.
As a variant, it sometimes appears preferable to carry out decryption of the encrypted content then, after this decryption, storage of the decrypted content in the data field of a cache line of the level-one cache of the cache memory.
According to one embodiment, in the event of a request by the central unit for an instruction word already present in an encrypted content of the data field of a cache line of the cache memory, the method advantageously comprises decryption of the encrypted content within the information processing module.
According to a simplified variant, the method comprises, after the decryption, delivery of the requested instruction word to the central unit. In other words, for example, no verification of the integrity of this decrypted content is then carried out before delivery of the requested instruction word to the central unit.
This being the case, in order to further increase the level of security, it is preferable to carry out verification of the integrity of the program code.
Thus, according to one embodiment, the method furthermore comprises, before delivery of the requested instruction word, verification of the integrity of the decrypted content and delivery of the requested instruction word if the result of the verification is representative of an integral content.
More particularly, according to one embodiment, the method comprises:
    • an initial phase, for example during the compilation of the program code, prior to step a), comprising storage of the modified, compiled and encrypted program code in memory locations of an initial memory, for example a nonvolatile memory of the FLASH type, external to the information processing module, these memory locations here again corresponding to data fields of cache lines, the modified compiled program code comprising instruction word groups which are stored in the memory locations of the initial memory, each instruction word group comprising first instruction words resulting from the compilation of the program code and a second instruction word, for example a “no operation” (better known to the person skilled in the art by the acronym “NOP instruction”: No OPeration), all the second instruction words being identical and located respectively at reference positions in the corresponding instruction groups (these reference positions may occupy identical places, for example the last place, in the corresponding instruction groups, or the place of a reference position in the corresponding group may be calculable on the basis of a parameter of the group, for example the address of the cache line or that of its associated memory location),
    • a first phase, for example during the startup (boot) phase, comprising decryption of the modified and compiled code, replacement of the second instruction word of each instruction group with a check indication obtained on the basis of at least some of the first instruction words of the instruction group, for example a “checksum” so as to form a modified instruction group, and encryption of the modified instruction groups, the step a) then comprising storage of the modified encrypted instruction groups in the memory locations of the first memory, for example the DRAM memory,
    • and the verification of the integrity of the decrypted content comprises verification of the integrity of the check indication, an integral check indication being representative of the integral nature of the decrypted content, and if the result of the verification is representative of an integral content, the method furthermore then comprises, before delivery of the requested instruction word to the central unit, replacement of the check indication with the second instruction word, in the case in point the NOP instruction.
A scheme for protecting the program code is then obtained, which is distributed all along the production and execution sequence of this program code, that is to say during the compilation of the program code, during the delivery of this program code from the FLASH memory to the DRAM memory, and during the execution of the program code, by virtue of the fact that the decryption of the program code portion delivered to the microprocessor in the event of a cache miss is only carried out inside the microprocessor, and more particularly locally at the level of the cache memory.
As indicated above, the control indication may be a checksum, and the verification of the integrity of the check indication then comprises, after decryption of the encrypted content, a new calculation of a checksum and a comparison of the checksum present in the decrypted content and the newly calculated checksum.
In order to increase the level of security even more, it is particularly favorable for the first phase to furthermore comprise verification of the integrity of the modified compiled program code before replacement of each second instruction word.
In this regard, the verification of the integrity of the modified program code may here again be carried out with the aid of an additional checksum calculated on the basis of the modified program code. Thus, by way of example, a checksum may be calculated before encryption of the modified program code and storage in the FLASH memory.
As indicated above, the first phase may be carried out when launching a startup program.
Another aspect provides a system, comprising
    • an information processing module comprising at least one level-one cache of a cache memory containing cache lines, each having an address field and a data field intended to store instruction words executable by the central unit of the information processing module,
    • a first memory, external to the information processing module, having memory locations corresponding to data fields of cache lines and intended to store the compiled and encrypted program code,
    • a first memory controller coupled to the first external memory,
    • a communication medium coupled to the first memory controller and to the information processing module,
    • the information processing module furthermore comprising control means configured in order, in the event of a request by the central unit for an instruction word not present in the data field of a cache line of the cache memory, to deliver on the communication medium to the first memory controller a command to read the encrypted content of the memory location containing the requested instruction word,
    • the first memory controller being configured in order to deliver this encrypted content to the information processing module,
    • the information processing module furthermore comprising decryption means configured in order to decrypt this encrypted content.
When the cache memory comprises the level-one cache and at least one higher-level cache, the decryption means are advantageously configured in order to carry out the decryption of the encrypted content at the level of the level-one cache.
According to one embodiment, the control means are configured in order, before the decryption of the encrypted content, to carry out storage of this encrypted content in the data field of a cache line of the cache memory.
According to another possible configuration, the control means are configured in order, after the decryption of the encrypted content, to carry out storage of the decrypted content in the data field of a cache line of the level-one cache of the cache memory.
According to another configuration, in the event of a request by the central unit for an instruction word present in the encrypted content of the data field of a cache line of the cache memory, the decryption means are configured in order to carry out decryption of the encrypted content locally at the level of the level-one cache.
According to a first variant, the control means are configured in order, after the decryption, to deliver the requested instruction word to the central unit.
According to another variant, the system furthermore comprises verification means configured in order, before delivery of the requested instruction word, to carry out verification of the integrity of the decrypted content and to deliver the requested instruction word if the result of the verification is representative of an integral content.
According to one embodiment, the system furthermore comprises
    • an initial memory, external to the information processing module, comprising memory locations corresponding to data fields of cache lines and intended to store a compiled and encrypted modified program code comprising instruction word groups, each instruction word group comprising first instruction words resulting from the compilation of the program code and a second instruction word, all the second instruction words being identical and located at reference positions, for example at the same reference position, in the corresponding instruction groups,
    • an initial memory controller coupled to the external initial memory and to the communication medium,
    • processing means configured in order to carry out decryption of the compiled modified code, to replace the second instruction word of each instruction group with a check indication obtained on the basis of at least some of the first instruction words of the instruction group, so as to form a modified instruction group, and to encrypt the modified instruction groups with a view to the storage of the encrypted modified instruction groups in memory locations of the first memory,
    • and the verification means are configured in order to carry out verification of the integrity of the check indication, an integral check indication being representative of the integral nature of the decrypted content, and if the result of the verification is representative of an integral content, in order to replace, before delivery of the requested instruction word to the central unit, the check indication with the second instruction word.
According to one embodiment, the check indication is a checksum, and the verification means comprise calculation means configured in order to carry out, after decryption of the encrypted content, a new calculation of a checksum and a comparison of the checksum present in the decrypted content and the newly calculated checksum.
According to one embodiment, the processing means furthermore comprise initial verification means configured in order to carry out verification of the integrity of the modified compiled program code before replacement of each second instruction word.
In this regard, the initial verification means may comprise initial calculation means configured in order to calculate an additional checksum on the basis of the modified program code.
The system may comprise a startup controller advantageously containing the processing means.
The system may be a system-on-chip.
Another aspect provides an information processing module, for example a processor or a microprocessor, comprising
    • an interface intended to be coupled to a communication medium,
    • a central unit,
    • at least one level-one cache of a cache memory containing cache lines, each having an address field and a data field intended to store instruction words executable by the central unit of the information processing module,
    • control means configured in order, in the event of a request by the central unit for an instruction word not present in the data field of a cache line of the cache memory, to deliver on the communication medium to an external memory a command to read the encrypted content of the memory location of this external memory containing the requested instruction word, the interface being configured in order to receive this encrypted content, and
    • decryption means configured in order to decrypt this encrypted content.
According to one embodiment, the control means are configured in order, before the decryption of the encrypted content, to carry out storage of this encrypted content in the data field of a cache line of the cache memory.
According to another possible embodiment, the control means are configured in order, after the decryption of the encrypted content, to carry out storage of the decrypted content in the data field of a cache line of the level-one cache of the cache memory.
According to one embodiment, in the event of a request by the central unit for an instruction word present in an encrypted content of the data field of a cache line of the cache memory, the decryption means are configured in order to carry out decryption of the encrypted content locally at the level of the level-one cache.
According to a first possible variant, the control means are configured in order, after the decryption, to deliver the requested instruction word to the central unit.
According to another possible variant, the module furthermore comprises verification means configured in order, before delivery of the requested instruction word, to carry out verification of the integrity of the decrypted content of the data field of a cache line and to deliver the requested instruction word if the result of the verification is representative of an integral content.
According to one embodiment, the decrypted content of the data field of a cache line contains an instruction word group comprising first instruction words relating to a compiled program code and a check indication, obtained on the basis of at least some of the first instruction words and located at a reference position in the cache line, which may be the same for all the cache lines, and the verification means are configured in order to carry out verification the integrity of the check indication, an integral check indication being representative of the integral nature of the decrypted content, and if the result of the verification is representative of an integral content, in order to replace, before delivery of the requested instruction word to the central unit, the check indication with a second instruction word, this instruction word being identical for all the cache lines.
The second instruction word may be a no operation instruction, and the check indication may be a checksum, and the verification means then for example comprise calculation means configured in order to carry out, after decryption of the decrypted content, a new calculation of a checksum and a comparison of the checksum present in the decrypted content and the newly calculated checksum.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
Non-limiting and non-exhaustive embodiments are described with reference to the accompanying drawings, wherein like labels refer to like parts throughout the various views unless otherwise specified. Other objects, characteristics and advantages of the invention will become apparent on studying the detailed description of embodiments and the appended figures, in which:
    • FIG. 1 is a block diagram of a system according to one embodiment of the invention;
    • FIG. 2 is a schematic view of an instruction cache of the system of FIG. 1;
    • FIG. 3 is a flowchart of a part of a method according to one embodiment of the present disclosure;
    • FIG. 4 is a flowchart of another part of the method according to one embodiment of the present disclosure;
    • FIG. 5 is a flowchart of another part of the method according to one embodiment of the present disclosure;
    • FIG. 6 is a flowchart of another part of the method according to one embodiment of the present disclosure;
    • FIG. 7 is a flowchart of another part of the method according to one embodiment of the present disclosure;
    • FIG. 8 is a flowchart of another part of the method according to one embodiment of the present disclosure;
    • FIG. 9 is a flowchart of another part of the method according to one embodiment of the present disclosure;
    • FIG. 10 is a block diagram illustrating a multi-level cache and decryption and/or verification according to one embodiment of the present disclosure.
 DETAILED DESCRIPTION
In FIG. 1, the reference SYS denotes a system, for example a system-on-chip (SoC), comprising an information processing module 1, for example a microprocessor, coupled to a communication medium 2, in the case in point a network-on-chip (NoC).
Further to the microprocessor 1, the system SYS comprises a memory 4, also referred to as the initial memory, for example a nonvolatile memory of the FLASH type, associated with an initial memory controller 3 coupled to the network 2.
The system SYS also comprises another memory 6, also referred to as the first memory, for example a DRAM memory, as well as an associated first memory controller 5 also coupled to the network 2.
The system SYS also comprises various modules or IP, 7 (a single one being represented for the sake of simplicity) also coupled to the network 2.
Lastly, in the present case the system SYS comprises a startup controller 18 (“boot controller”), also coupled to the network 2 and configured in order to launch a startup (“boot”) sequence of the system SYS, and in particular of the microprocessor 1.
In the present case, the startup controller 18 comprises processing means 180, themselves comprising initial verification means 1800 including initial calculation means 1801, which may for example be implemented as software, and which will be returned to in more detail below regarding their function.
The microprocessor 1 comprises an interface 10 coupled to the network 2, a central unit 11 (also known to the person skilled in the art by the acronym CPU: “Central Processing Unit”).
In this exemplary embodiment, the processor 1 also comprises a cache memory 12, which will be assumed here only to be of level 1 comprising a level-1 instruction cache 120 and a level-1 data cache 130.
The processor 1 also comprises a cache controller 14, as well as control means 15, decryption means 16 and verification means 17, the functions of which will be returned to in more detail below.
The system SYS furthermore comprises a compiler 19.
As is conventional in the art, and illustrated in FIG. 2, the instruction cache 120 comprises cache lines LCHj, each comprising an address field TGj and a data field CHDj. The data field CHDj comprises a plurality of instruction words executable by the central unit 11 of the microprocessor, and the address field TGj comprises the address of the data field CHDj in the first memory 6.
Some bits of this address make it possible to identify the various instruction words present in the data field CHDj.
Various embodiments of the method according to the disclosure will now be described with reference to FIGS. 3 to 9.
In FIG. 3, the reference CP denotes a program code intended to be executed by the microprocessor 1.
In step 30, the program code CP is compiled and supplemented with specific instruction words, in the case in point no operation instructions (NOP instructions), so as to obtain a compiled and modified program code CPM.
As illustrated in this FIG. 3, this compiled modified program code CPM comprises instruction word groups Ji.
Each instruction word group Ji comprises first instruction words MI1 resulting from the compilation of the program code and a second instruction word, in the case in point an NOP instruction, all the second instruction words being identical and located at the same position in the corresponding instruction groups.
In the example described here, the NOP instruction is placed at the last place of each instruction group Ji.
This being the case, this place could be different so long as it is, for example, identical in each of the groups or easily calculable.
Likewise, the second instruction word could be an instruction other than the NOP instruction, but this would then require the sacrifice of a register of the microprocessor because such an instruction can be executed by the processor.
So as to allow a first level of integrity verification, the compiler 19 carries out a calculation 31 of a checksum CHS1 on the basis of at least some, and in practice all, of the instruction words of the compiled modified program code. The compiled modified program code CPM, as well as the checksum CHS1, are encrypted (step 32) by conventional encryption means, which may be incorporated in the compiler 19. By way of nonlimiting example, an algorithm of the AES type may be used as the encryption algorithm.
The modified, compiled and encrypted program code is then stored (step 33) under the control of the memory controller 3, in memory locations EM0 i of the initial memory 4. These memory locations correspond to data fields of cache lines.
The protection method then comprises a first phase, advantageously carried out during the startup (“boot”) phase 34 of the processor. The operations which will now be described are typically carried out by the startup controller 18.
The processing means 180 of the startup controller 18 carry out decryption 35 of the compiled modified program code and of the checksum CHS1, which are stored in the initial memory 4 and extracted from this memory via the memory controller 3.
The initial verification means 1800 then carries out verification 36 of the checksum CHS1. More particularly, in a conventional way, the initial calculation means 1801 are configured in order to calculate again an additional checksum on the basis of the modified program code CPM, and the initial verification means 1800 compare the checksum CHS1 with the additional checksum which has just been calculated (step 37, FIG. 4).
If the verification is found to be negative, that is to say if the two checksums are different, then this is representative of a nonintegral modified program code having been potentially corrupted.
In this case, specific error handling 38 may be applied. The content of such error handling varies depending on the applications and may for example consist in blocking the system SYS.
In the case in which the result of the comparison is positive, that is to say representative of an integral content of the modified program code CPM, the processing means 180 determine (step 39) for each instruction group Ji a checksum CHS2 i obtained on the basis of the instruction words MI1 and NOP of the group Ji and replace the second instruction word, in the case in point the NOP instruction, with this checksum CHS2 i, so as to form a modified instruction group JMi.
The processing means 180 then carries out encryption 40 of the modified instruction groups JMi and stores them (step 41) via the memory controller 5 in the memory locations EM1 i of the first memory 6.
Here again, these memory locations EM1 i correspond to data fields of cache lines.
At this stage, the program code is ready to be executed by the microprocessor 1.
This will be explained in more detail with reference to FIGS. 5 to 9.
It is assumed in FIG. 5 that, in a step 50, the central unit 11 of the microprocessor requests the instruction word MI.
The control means 15, which in practice may for example be implemented as software within the cache controller 14, verify by comparison of addresses in the various address fields TGj of the cache 12 whether this instruction word MI is present in a cache line LCH of the cache 120.
If this is not the case, that is to say in the event of a cache miss, the control means deliver on the network 2 (step 52) a command CMD to read the encrypted content of the memory location of the first memory 6 containing the requested instruction word. This command consequently contains the address of this memory location.
The memory controller 5 then extracts from this memory location its encrypted content, that is to say the modified encrypted instruction group, which is assumed in this example to be the group JMj.
The memory controller then delivers this encrypted group JMj on the network 2 to the microprocessor 1 (step 54).
In this alternative embodiment, the decryption means 16, which may also be implemented as software within the cache controller 14, then carry out decryption 55 of the modified encrypted instruction group JMj, and the verification means 17, which may also be incorporated as software within the cache controller, carry out verification 56 of the integrity of this decrypted content, that is to say of the decrypted modified instruction group JMj.
In this regard, the verification means will verify the integrity of the checksum CHS2 j (step 57).
This verification is carried out in a conventional way by recalculation of a new checksum CHS2j and by a comparison of the received checksum CHS2 j and the calculated checksum CHS2j.
In the event of a negative comparison, representative of nonintegrity of the received modified instruction group, the cache controller may implement specific error handling 58.
In the event that the verification of the checksum is representative of an integral content of the modified instruction group JMj received, the verification means 17 replace the checksum CHS2 j with the second instruction word, in the case in point the NOP instruction, so as to obtain again the instruction group Jj which had been obtained at the end of step 30 in FIG. 3.
This instruction group Jj, which comprises the first instruction words MI1 and the NOP instruction, is then stored (step 60) in the data field of a cache line, in the case in point the cache line LCHm.
The requested instruction word MI is then delivered (step 61) to the central unit 11 with a view to its execution, in which case the requested instruction word MI may be either one of the instruction words MI1 or the NOP instruction.
In this embodiment, it is assumed that the decryption of an encrypted content and the verification of the integrity of the decrypted content were carried out before storage in a cache line. Under these conditions, if in step 51 the requested instruction word MI already belongs to a cache line LCH its delivery is carried out directly (step 61).
Other alternative embodiments are possible.
Thus, as illustrated in FIG. 7, after delivery of the encrypted modified instruction group JMj to the microprocessor 1, storage of this encrypted group JMj in a cache line, in the case in point the cache line LCHm, may be carried out directly (step 70).
The decryption means 16 then carry out the decryption of the modified instruction group JMj (step 71), and the verification means 17 carry out (step 72) verification of the integrity of the decrypted modified instruction group in a similar way to that described above with reference to step 56 of FIG. 5.
In the case in which this verification processing is representative of a nonintegral content (step 73), error handling 74 is implemented.
If the verification processing is found to be positive, that is to say representative of an integral content of the modified instruction group JMj, the verification means then carry out (step 75) replacement of the checksum CHS2 j with the NOP instruction in a similar way to that described with reference to step 59 of FIG. 6, so as to restore the instruction group Jj then, in step 76, deliver the requested instruction word MI.
If, as illustrated in FIG. 8, the requested instruction word MI belongs to a line LCH, for example the cache line LCHm, the data field which is encrypted, then step 71 of FIG. 7 is proceeded to directly (step 81) in order then to carry out steps 72, 73, optionally 74, 75 and 76.
It is also possible, as illustrated in FIG. 9, in the case in which the requested instruction word MI belongs to a cache line LCH (step 90), for example the cache line LCHm already decrypted, that the verification processing is carried out not before the storage of the decrypted content in the cache line but after the storage, before delivery of the requested instruction word.
In this case, step 91 leads directly to step 56 of FIG. 5 so as to execute steps 56, 57, optionally 58 and 59 to 61.
Throughout the description above, it was assumed that the cache memory comprised only a level-one cache.
This being the case, as illustrated in FIG. 10, the cache memory may be a hierarchy of caches and comprise caches of different levels, for example a level-one cache 120 1, a level-two cache 120 2 and a level-three cache 120 3.
Some of these caches, for example the level-three cache, may even be located outside the microprocessor.
In this case, the features discussion above, namely the decryption and the integrity verification, are carried out locally at the level of the level-one cache. In other words, any content decryption will be carried out only either between the level-two cache and the level-one cache or downstream of the level-one cache before delivery of the instruction word to the central unit. Furthermore, any content extracted from the memory 6 will remain encrypted so long as it remains present in a cache of a level higher than level one.
Each cache is associated with a cache controller.
If the requested instruction word is not present in the level-one cache but is present in the level-two cache, for example, the content of the corresponding cache line of the level-two cache remains encrypted in the level-two cache and is delivered by the level-two cache controller to the level-one cache controller. The latter may then store the encrypted content in the cache line of the level-one cache before the decryption, or may alternatively carry out the decryption first before storage.
In the case in which the requested instruction word does not belong to any cache, that is to say in the event of a cache miss, the encrypted content extracted from the DRAM memory is delivered to the level-three cache controller, which is assumed here to be outside the microprocessor. At this stage, the level-three controller may either update the level-3 cache by storing the encrypted content therein then deliver the encrypted content to the microprocessor, and more particularly to the level-two cache controller, or may alternatively deliver the encrypted content directly to the level-two cache controller before updating the level-three cache.
The level-two cache controller may either update the level-2 cache by storing the encrypted content therein then deliver the encrypted content to the level-one cache controller, or alternatively deliver the encrypted content directly to the level-one cache controller before updating the level-two cache. Furthermore, here again, the level-one cache controller may then store the encrypted content in the cache line of the level-one cache before decryption, or alternatively carry out the decryption first before storage.
The invention is not limited to the embodiments which have just been described, but encompasses all variants thereof.
Thus, in a simplified variant, if conduct of the integrity verification processing is not desired, it is possible simply to carry out decryption of the encrypted content extracted from the DRAM memory and deliver the requested instruction word.
Furthermore, the system is not necessarily a system-on-chip (SoC) but may, for example, comprise a processor and external memories connected on a board and mutually coupled by a conventional bus.
A means, or module, as used herein may include a hardware module, such as one or more electronic circuits; a software module, such as one or more processor-executable instructions or one or more representations of processor-executable instructions; or a combined hardware and software module.
The various embodiments described above can be combined to provide further embodiments. These and other changes can be made to the embodiments in light of the above-detailed description. In general, in the following claims, the terms used should not be construed to limit the claims to the specific embodiments disclosed in the specification and the claims, but should be construed to include all possible embodiments along with the full scope of equivalents to which such claims are entitled. Accordingly, the claims are not limited by the disclosure.

Claims (37)

The invention claimed is:
1. A method to protect program code, comprising:
providing an information processing module having a central processing unit configured to execute the program code;
associating a cache memory with the information processing module, the cache memory having at least one level-one cache, the at least one level-one cache having cache lines, each cache line of the cache lines having two separate and distinct fields, the two separate and distinct fields including an address field and a data field, wherein during execution of the program code, address information is stored in the address field and instruction words of the program code are stored in the data field, the address information stored in the address field corresponding to an address in a first memory where the instruction words of the program code are stored;
storing compiled and encrypted program code in memory locations of the first memory, the first memory external to the information processing module, the memory locations corresponding to data fields of the cache lines, wherein the compiled and encrypted program code includes instruction word groups, each instruction word group of the instruction word groups including first instruction words that result from a compilation of the program code and a second instruction word that does not result from the compilation of the program code, the second instruction word of the each instruction word group of the instruction word groups being identical and located respectively at a reference position in the each instruction word group of the instruction word groups
decrypting the compiled and encrypted program code;
replacing the second instruction word of the each instruction word group of the instruction word groups with a check indication obtained based on at least some of the first instruction words of the each instruction word group of the instruction word groups to form modified instruction groups;
encrypting the modified instruction groups; and
storing the encrypted modified instruction groups in the memory locations of the first memory; and
in response to receiving a request from the central processing unit for an instruction word not present in the data field of a cache line of the cache memory:
extracting from the first memory encrypted content of a memory location containing the requested instruction word;
delivering the encrypted content to the information processing module; and
decrypting the encrypted content within the information processing module, wherein verifying the integrity of the decrypted content includes verifying integrity of an integral check indication, the integral check indication representing an integral nature of the decrypted content, and in response to a result of the verifying is representative of an integral content, before delivering the requested instruction word to the central processing unit, replacing the check indication with the second instruction word.
2. The method according to claim 1, wherein the cache memory having the level-one cache has at least one higher-level cache, and the decrypting of the encrypted content is carried out locally at a level of the level-one cache.
3. The method according to claim 1, comprising:
prior to the decrypting of the encrypted content, storing the encrypted content in the data field of a selected cache line of the cache memory.
4. The method according to claim 1, comprising:
subsequent to the decrypting of the encrypted content, storing the decrypted content in the data field of a selected cache line of the level-one cache of the cache memory.
5. The method according to claim 1, comprising:
in response to receiving a request from the central processing unit for an encrypted instruction word present in the data field of a selected cache line of the cache memory, decrypting the encrypted content within the information processing module locally at a level of the level-one cache.
6. The method according to claim 1, comprising:
subsequent to the decrypting of the encrypted content, delivering the requested instruction word to the central processing unit.
7. The method according to claim 1, comprising:
before the delivering of the encrypted content, verifying integrity of the decrypted content to produce a verification result; and
in response to the verification result is representative of an integral content, delivering the requested instruction word.
8. The method according to claim 1, wherein reference positions occupy identical positions in the instruction groups.
9. The method according to claim 1, wherein the second instruction word is a no operation instruction (NOP).
10. The method according to claim 1, wherein the integral check indication is a checksum, and verifying the integrity of the integral check indication includes, after decrypting the encrypted content, calculating a new checksum and comparing a checksum present in the decrypted content and the new checksum.
11. The method according to claim 1, comprising verifying the integrity of the compiled and encrypted program code before replacement of each second instruction word.
12. The method according to claim 11, wherein verifying the integrity of the compiled, modified, and encrypted program code includes an additional checksum calculated based on the compiled, modified, and encrypted program code.
13. The method according to claim 1, wherein the reference position is calculated by an algorithm.
14. The method according to claim 1, wherein the second instruction word is an executable instruction that uses at least one register of the central processing unit.
15. A system, comprising:
an information processing module having:
a central processing unit; and
a cache memory, the cache memory having at least one level-one cache, the cache memory containing cache lines, each cache line of the cache lines having two separate and distinct fields, the two separate and distinct fields including an address field and a data field, wherein address information is stored in the address field and instruction words executable by the central processing unit are stored in the data field, the address information stored in the address field corresponding to an address in a first memory where the instruction words executable by the central processing unit are stored;
a first memory, external to the information processing module, having memory locations corresponding to data fields of the cache lines, the first memory configured to store compiled and encrypted program code, wherein the compiled and encrypted program code includes instruction word groups, each instruction word group of the instruction word groups having first instruction words that result from a compilation of program code and a second instruction word that does not result from the compilation of the program code, the second instruction word of the each instruction word group of the instruction word groups being identical and located respectively at a reference position in the each instruction word group of the instruction word groups
a first memory controller coupled to the first memory;
a communication medium coupled between the first memory controller and the information processing module;
a control module configured to deliver to the first memory controller on the communication medium, a command to read encrypted content of a memory location containing a requested instruction word, the delivery carried out when the central processing unit requests the instruction word and when the instruction word is not present in the data field of a corresponding cache line of the cache memory, wherein the first memory controller is configured to deliver encrypted content to the information processing module;
a decryption module configured to decrypt the encrypted content;
a processing module configured to:
decrypt the compiled and encrypted program code;
replace the second instruction word of the each instruction word group of the instruction word groups with a check indication obtained based on at least some of the first instruction words of the each instruction word group of the instruction word groups to form modified instruction groups;
encrypt the modified instruction groups; and
store the encrypted modified instruction groups in memory locations of the first memory; and
a verification module configured to verify integrity of an integral check indication, the integral check indication representing an integral nature of the decrypted content, and in response to a result of the verification is representative of an integral content, before delivering the requested instruction word to the processing unit, replacing the check indication with the second instruction word.
16. The system according to claim 15, wherein the cache memory having the level-one cache has at least one higher-level cache, and wherein the decryption module is configured to decrypt the encrypted content locally at a level of the level-one cache.
17. The system according to claim 15, wherein the control module is configured to store the encrypted content in the data field of a selected cache line of the cache memory before decrypting the encrypted content.
18. The system according to claim 15, wherein the control module is configured to store decrypted content in the data field of a selected cache line of the level-one cache of the cache memory after the decryption of the encrypted content.
19. The system according to claim 15, wherein the decryption module is configured to carry out decryption of the encrypted content locally at a level of the level-one cache in response to a request by the central processing unit for an encrypted instruction word present in the data field of a selected cache line of the cache memory.
20. The system according to claim 19, wherein the processing module includes an initial verification module configured to verify integrity of the compiled and encrypted program code before replacement of each second instruction word.
21. The system according to claim 19, comprising:
a startup controller, the startup controller containing the processing module.
22. The system according to claim 15, wherein after decryption, the control module is configured to deliver the requested instruction word to the central processing unit.
23. The system according to claim 15, wherein:
the verification module is configured to verify integrity of the decrypted content before the requested instruction word is delivered and the verification module is configured to deliver the requested instruction word in response to a result of verifying the integrity of the decrypted content is representative of an integral content.
24. The system according to claim 15, wherein reference positions occupy identical positions in the instruction groups.
25. The system according to claim 15, wherein the second instruction word is a no operation instruction (NOP).
26. The system according to claim 15, wherein the integral check indication is a checksum, and the verification module includes a calculation module configured, after decrypting the encrypted content, to calculate a new checksum, wherein the verification module is configured to compare a checksum present in the decrypted content to the new checksum.
27. The system according to claim 15, wherein the verification module includes an initial calculation module configured to calculate an additional checksum based on the basis of the compiled and encrypted program code.
28. The system according to claim 15, wherein the system is formed in a system-on-chip.
29. An information processing module comprising:
an interface coupleable to a communication medium and coupleable to an external memory;
a central processing unit arranged to execute instruction words of compiled and encrypted program code, wherein the compiled and encrypted program code includes instruction word groups, each instruction word group of the instruction word groups including first instruction words that result from a compilation of the program code and a second instruction word that does not result from the compilation of the program code, the second instruction word of the each instruction word group of the instruction word groups being identical and located respectively at a reference position in the each instruction word group of the instruction word groups
a cache memory having at least one level-one cache, the cache memory containing cache lines, each cache line of the cache lines having two separate and distinct fields, the two separate and distinct fields including an address field and a data field, wherein address information is stored in the address field and instruction words executable by the central processing unit are stored in the data field, the address information stored in the address field corresponding to an address in the external memory where the instruction words executable by the central processing unit are stored;
a control module configured to deliver to the interface on the communication medium, a command to read encrypted content of a memory location of the external memory containing a requested instruction word, the delivery carried out when the central processing unit requests the instruction word and when the requested instruction word is not present in the data field of a corresponding cache line of the cache memory, the interface configured to receive the encrypted content;
a decryption module configured to decrypt the encrypted content; and
a verification module to verify integrity of the decrypted content of the data field of a selected cache line before the requested instruction word is delivered, the verification module being configured to deliver the requested instruction word in response to a result of verifying the integrity of the decrypted content is representative of an integral content, wherein:
the decrypted content of the data field of the selected cache line contains a selected instruction word group having the first instruction words relating to the compiled and encrypted program code and having a check indication that is based on at least some of the first instruction words and located at the reference position in the selected cache line;
the verification module is configured to, before delivering the requested instruction word to the central processing unit, verify integrity of an integral check indication to produce a verification result, the integral check indication representing an integral nature of the decrypted content, and in response to the verification result is representative of an integral content, replace the check indication with the second instruction word.
30. The module according to claim 29, wherein the cache memory having the level-one cache has at least one higher-level cache, and wherein the decryption module is configured to decrypt the encrypted content locally at a level of the level-one cache.
31. The module according to claim 29, wherein the control module is configured to store the encrypted content in the data field of a selected cache line of the cache memory before decrypting the encrypted content.
32. The module according to claim 29, wherein the control module is configured to store decrypted content in the data field of a selected cache line of the level-one cache of the cache memory after the decryption of the encrypted content.
33. The module according to claim 29, wherein the decryption module is configured to carry out decryption of the encrypted content locally at a level of the level-one cache in response to a request by the central processing unit for an encrypted instruction word present in the data field of a selected cache line of the cache memory.
34. The module according to claim 29, wherein the control module is configured to deliver the requested instruction word to the central processing unit after the decryption module decrypts the encrypted content.
35. The module according to claim 29, wherein reference positions are identical for all the cache lines.
36. The module according to claim 29, wherein the second instruction word is a no operation instruction (NOP).
37. The module according to claim 29, wherein the integral check indication is a checksum, and the verification module includes a calculation module configured, after decrypting the encrypted content, to calculate a new checksum, wherein the verification module is configured to compare a checksum present in the decrypted content to the new checksum.
US14/610,924 2014-02-03 2015-01-30 Method for protecting a program code, corresponding system and processor Active 2036-08-03 US10613993B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1400289 2014-02-03
FR1400289A FR3017226B1 (en) 2014-02-03 2014-02-03 METHOD FOR SECURING A PROGRAM CODE, SYSTEM AND CORRESPONDING PROCESSOR

Publications (2)

Publication Number Publication Date
US20150220456A1 US20150220456A1 (en) 2015-08-06
US10613993B2 true US10613993B2 (en) 2020-04-07

Family

ID=51260899

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/610,924 Active 2036-08-03 US10613993B2 (en) 2014-02-03 2015-01-30 Method for protecting a program code, corresponding system and processor

Country Status (2)

Country Link
US (1) US10613993B2 (en)
FR (1) FR3017226B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11200347B1 (en) * 2015-08-28 2021-12-14 Frank R. Dropps Secure controller systems and associated methods thereof
US20220245052A1 (en) * 2021-02-02 2022-08-04 Thales DIS CPL USA, Inc Method and device of protecting a first software application to generate a protected software application

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3047585B1 (en) 2016-02-09 2018-03-09 Stmicroelectronics (Rousset) Sas METHOD AND DEVICE FOR MONITORING THE EXECUTION OF A PROGRAM CODE
KR102445243B1 (en) * 2017-10-23 2022-09-21 삼성전자주식회사 Data encryption method and electronic apparatus thereof
CN112567366B (en) 2018-05-28 2024-10-11 加拿大皇家银行 System and method for securing an electronic transaction platform

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6044450A (en) * 1996-03-29 2000-03-28 Hitachi, Ltd. Processor for VLIW instruction
US20080141279A1 (en) * 2006-10-06 2008-06-12 Peter Mattson Software development for parallel processing systems
US20090177873A1 (en) * 2006-07-18 2009-07-09 Taichi Sato Instruction generation apparatus
US20100030967A1 (en) * 2008-07-31 2010-02-04 Samsung Electronics Co., Ltd. Method and system for securing instruction caches using substantially random instruction mapping scheme
US20100042824A1 (en) * 2008-08-14 2010-02-18 The Trustees Of Princeton University Hardware trust anchors in sp-enabled processors
US20100332850A1 (en) * 2009-06-26 2010-12-30 International Business Machines Corporation Cache structure for a computer system providing support for secure objects
US20120144195A1 (en) * 2009-08-14 2012-06-07 Azuki Systems, Inc. Method and system for unified mobile content protection
US20130091387A1 (en) * 2010-03-26 2013-04-11 Software Diagnostics Technology Gmbh Method for Automatically Generating a Trace Data Set for a Software System, a Computer System, and a Computer Program Product
US20140237255A1 (en) * 2011-09-29 2014-08-21 Robert Paul Martin Decryption and Encryption of Application Data
US20140282883A1 (en) * 2013-03-13 2014-09-18 Ronald Simon CHAN System and method for distributing, monitoring and controlling information
US20150052288A1 (en) * 2013-08-14 2015-02-19 Micron Technology, Inc. Apparatuses and methods for providing data from a buffer

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6044450A (en) * 1996-03-29 2000-03-28 Hitachi, Ltd. Processor for VLIW instruction
US20090177873A1 (en) * 2006-07-18 2009-07-09 Taichi Sato Instruction generation apparatus
US20080141279A1 (en) * 2006-10-06 2008-06-12 Peter Mattson Software development for parallel processing systems
US20100030967A1 (en) * 2008-07-31 2010-02-04 Samsung Electronics Co., Ltd. Method and system for securing instruction caches using substantially random instruction mapping scheme
US20100042824A1 (en) * 2008-08-14 2010-02-18 The Trustees Of Princeton University Hardware trust anchors in sp-enabled processors
US20100332850A1 (en) * 2009-06-26 2010-12-30 International Business Machines Corporation Cache structure for a computer system providing support for secure objects
US20120144195A1 (en) * 2009-08-14 2012-06-07 Azuki Systems, Inc. Method and system for unified mobile content protection
US20130091387A1 (en) * 2010-03-26 2013-04-11 Software Diagnostics Technology Gmbh Method for Automatically Generating a Trace Data Set for a Software System, a Computer System, and a Computer Program Product
US20140237255A1 (en) * 2011-09-29 2014-08-21 Robert Paul Martin Decryption and Encryption of Application Data
US20140282883A1 (en) * 2013-03-13 2014-09-18 Ronald Simon CHAN System and method for distributing, monitoring and controlling information
US20150052288A1 (en) * 2013-08-14 2015-02-19 Micron Technology, Inc. Apparatuses and methods for providing data from a buffer

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Gelbart et al., "CODESSEAL: Compiler/FPGA Approach to Secure Applications," in Field Programmable Logic and Application, Springer Berlin Heidelberg, ISI 2005, LNCS 3495, pp. 530-535, 2005.
Milenković et al., "Hardware Support for Code Integrity in Embedded Processors," Proceedings of the 2005 International Conference on Compliers, Architectures and Synthesis for Embedded Systems, CASES '05, San Francisco, CA, Sep. 27-27, 2005, pp. 55-65.
Patel et al., "Ensuring Secure Program Execution in Multiprocessor Embedded Systems: A Case Study," 2007 5th IEEE/ACM/IFIP International Conference on Hardware/Software Codesign and System Synthesis (CODESS + ISSS), Salzburg, Austria, Sep. 30-Oct. 3, 2007, pp. 57-62.
Ragel et al., "IMPRES: Integrated Monitoring for Processor REliability and Security," ACM/IEEE Design Automation Conference, DAC 2006, San Francisco, CA, Jul. 24-28, 2006, pp. 502-505.
Zambreno et al., "SAFE-OPS: An Approach to Embedded Software Security," ACM Transactions on Embedded Computing Systems 4(1):189-210, Feb. 2005.

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11200347B1 (en) * 2015-08-28 2021-12-14 Frank R. Dropps Secure controller systems and associated methods thereof
US20220245052A1 (en) * 2021-02-02 2022-08-04 Thales DIS CPL USA, Inc Method and device of protecting a first software application to generate a protected software application
US11687440B2 (en) * 2021-02-02 2023-06-27 Thales Dis Cpl Usa, Inc. Method and device of protecting a first software application to generate a protected software application

Also Published As

Publication number Publication date
US20150220456A1 (en) 2015-08-06
FR3017226A1 (en) 2015-08-07
FR3017226B1 (en) 2016-01-29

Similar Documents

Publication Publication Date Title
US10540297B2 (en) Memory organization for security and reliability
US10613993B2 (en) Method for protecting a program code, corresponding system and processor
US20190042799A1 (en) Memory tagging for side-channel defense, memory safety, and sandboxing
US8914627B2 (en) Method for generating a secured boot image including an update boot loader for a secured update of the version information
US8281229B2 (en) Firmware verification using system memory error check logic
EP3320478B1 (en) Secure handling of memory caches and cached software module identities for a method to isolate software modules by means of controlled encryption key management
JP4876053B2 (en) Trusted device integrated circuit
KR20200064968A (en) Anti-rollback version upgrade in secured memory chip
US10565130B2 (en) Technologies for a memory encryption engine for multiple processor usages
US20100058073A1 (en) Storage system, controller, and data protection method thereof
US8281154B2 (en) Encrypting data in volatile memory
CN104956374A (en) A method for software anti-rollback recovery
EP3271828B1 (en) Cache and data organization for memory protection
JP2022512051A (en) Integrity tree for memory integrity check
US20200233676A1 (en) Bios management device, bios management system, bios management method, and bios management program-stored recording medium
US20080084273A1 (en) Method and system for securely loading code in a security processor
US20170053124A1 (en) Processor and processor system
US20210117545A1 (en) Semiconductor device including secure patchable rom and patch method thereof
US10496825B2 (en) In-memory attack prevention
US12032478B2 (en) Electronic apparatus for time series data management, and method and storage medium
CN111931190B (en) Starting method based on XIP processor system
US12015689B2 (en) Container management for cryptanalysis attack protection
CN111400701A (en) Public financial system for processing data at high speed
US20090113207A1 (en) Secure overlay manager protection
US8127203B2 (en) Method, data processing apparatus and wireless device

Legal Events

Date Code Title Description
AS Assignment

Owner name: STMICROELECTRONICS SA, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:FEL, BRUNO;REEL/FRAME:034867/0640

Effective date: 20141023

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: STMICROELECTRONICS INTERNATIONAL N.V., SWITZERLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:STMICROELECTRONICS SA;REEL/FRAME:060620/0769

Effective date: 20220630

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4